  Show Posts
Pages: 1 2 3 [4] 5 6 ... 29
46  Ethical Hacking Discussions and Related Certifications / Web Applications / 7Safe CSTP Course review on: September 30, 2012, 02:44:24 PM
So it took me a while to take the course I won back in February 2011, due to scheduling issues and course cancellations, but I just finished it this past Friday and wrote a review at my blog. Let me know what you think.

Thanks EH.net for the great opportunities!
47  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP - Two weeks in. on: September 27, 2012, 08:38:45 AM
Rather than posting on here all the time (yes, I know it's a forum and that's the point), I've been updating my blog on my progress.

Check it out if you are interested:

http://itgeekchronicles.co.uk

I checked out your blog and found your Scapy guide. I haven't read the whole thing yet but so far I like! Great resource for folks trying to learn Scapy.
48  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Avoiding Pentest DOOM on: September 24, 2012, 05:20:25 PM
I sort of did at http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9048.msg50370/#msg50370

Thanks for the repost though :)
49  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Avoiding Pentest DOOM on: September 24, 2012, 04:21:42 PM

Although this would be mitigated by the advice already mentioned, I feel it's worth mentioning for those that may not know. When using a VM any files moved between the guest and host are stored in a temporary location on the host that doesn't clean up after itself:

http://pauldotcom.com/2012/08/penetration-testers-beware-vmw.html

That's pretty awesome m0wgli, thanks for the share. Definitely something that needs to be considered. I'll have to check out my own machine when I get to the office. :)
50  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Avoiding Pentest DOOM on: September 24, 2012, 03:14:37 PM
With regard to destroying data once the report is in the client's possession, how do you handle clients losing/forgetting the report and then claiming you didn't fulfil the contract if you can't provide deliverables down the line? It's the biggest argument I've encountered against destruction of data. I'm assuming project sign-off etc., but curious to know if there are other options I've not thought of.

And I'll apologise now, but I will be stealing Resume Generation Event for future use :)

Yep Andrew, like anything else, requirements may vary from engagement to engagement. Some customers will want you to retain data for a year; others may require that it never leaves the customer site, with all testing done from corp-owned machines, and pay more to have you write the report onsite, providing a machine to do so.

As for the RGE line, I think that came from a DR class I took several years ago when I worked in state govt. I've used it ever since. :)
51  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Avoiding Pentest DOOM on: September 24, 2012, 02:13:20 PM
Agreed Hayabusa, but there are instances where the contract stipulates the pentester maintain copies of the report and associated notes for a predetermined period. We do this sometimes because we get 3 or 4 months into a remediation cycle and someone has a question about a particular finding, and I know of some organizations that have to do this because remediation cycles are horrendously long, think Big Pharma for instance. Pentesters can't always remember why a particular finding wound up in the report, especially if it was a less than stellar report, but if they can go back to tool output or notes, packet captures, etc. they can provide additional clarification around the issue or at least provide enough context where the organization can make a conscious risk decision regarding the finding. Ideally, sufficient context goes into the report to make this a non-issue, but ops will frequently look for any reason to not have to fix whatever it is we are telling them to fix. I'd prefer it always be like you said, but the reality is the operational side of the business doesn't always feel we are on the same side. Antagonistic relationships can develop, especially when you are calling someone's baby ugly or asking them to do more work.

It's probably the best idea to have the pentest firm destroy all data and require all associated notes, pcaps, etc be delivered to customer as part of the deliverable package (but not in the report). I have been known to change requirements around depending on who was conducting the test or which assets were within the scope as a conscious risk decision. (external business partner stakeholders, scope too narrowly defined that doesn't take into account other contextual activities, etc)
52  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Avoiding Pentest DOOM on: September 24, 2012, 12:36:31 PM
I just had a blog post I wrote published at the SANS Pentest Blog entitled Avoiding Pentest DOOM: Protecting Customer Data where I discuss several ways you may be violating NDA's or mishandling customer data along with well defined solutions for addressing these very common failings. Check it out and tell me what you think.

http://pen-testing.sans.org/blog/2012/09/24/avoiding-pen-test-doom-protecting-customer-data
53  Resources / Tutorials / Re: Why directory browsing is important? on: September 20, 2012, 05:41:08 PM
Also, it doesn't stop at the directory you are currently viewing. Just because the current directory doesn't display anything interesting doesn't mean that $path/../../../../../etc/passwd isn't viewable (you have to play with the paths here; they can sometimes be loaded by script paths, templates, cookies, hidden form fields, etc.). Check out https://www.owasp.org/index.php/Testing_for_Path_Traversal for more info.
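As an added example (not from the post above or the OWASP page it links), here is the kind of harness a tester keeps handy for the path-parameter probing described there: it generates the same "../" escape in several encodings, runs each through a naive filter of the sort that gets bypassed, and through a canonicalise-then-compare check that holds. $WebRoot and every request string are constructed for illustration, and the path handling assumes a Windows host.

```powershell
# Added example: traversal payload variants versus a naive and a canonical check.
# $WebRoot is assumed; request strings are constructed. Windows paths assumed.

$WebRoot = 'C:\inetpub\wwwroot'   # assumed document root; adjust for the target app

function Get-TraversalVariants {
    # Returns the same escape attempt in the encodings a tester would try.
    param([string]$Target = 'etc/passwd', [int]$Depth = 5)
    $plain = ('../' * $Depth) + $Target
    @(
        $plain                                          # ../../../../../etc/passwd
        ($plain -replace '/', '\')                      # backslash separators
        ($plain -replace '\.\./', '%2e%2e%2f')          # URL-encoded dots and slash
        ($plain -replace '\.\./', '%252e%252e%252f')    # double-encoded, for apps that decode twice
    )
}

function Test-NaiveFilter {
    # The check that gets bypassed: rejects only the literal "../" substring.
    param([string]$Requested)
    return ($Requested -notmatch '\.\./')
}

function Test-CanonicalPath {
    # Decode until the string stops changing, normalise separators, resolve
    # ".." with GetFullPath, then require the result to stay under the root.
    param([string]$Root, [string]$Requested)
    $decoded = $Requested
    do {
        $previous = $decoded
        $decoded  = [uri]::UnescapeDataString($decoded)
    } while ($decoded -ne $previous)
    $decoded   = $decoded -replace '/', '\'
    $rootFull  = [IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    $combined  = [IO.Path]::Combine($rootFull, $decoded.TrimStart('\'))
    $candidate = [IO.Path]::GetFullPath($combined)
    return $candidate.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)
}

# One legitimate request plus the traversal variants; each row shows which
# check lets it through. Only the first row should be allowed by the canonical check.
$requests = @('images/logo.png') + (Get-TraversalVariants)
foreach ($r in $requests) {
    [pscustomobject]@{
        Request         = $r
        NaiveAllows     = Test-NaiveFilter   -Requested $r
        CanonicalAllows = Test-CanonicalPath -Root $WebRoot -Requested $r
    }
}
```

The backslash and both encoded variants sail past the naive filter, which is exactly why the probing the post describes is worth doing even when the first "../" attempt is blocked. The canonical check rejects all of them because it compares the resolved filesystem path, not the request string.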
54  Resources / Tools / Re: tools ot Modify DACL of remote machine on: September 18, 2012, 10:36:07 AM
I have a few of these scripts in Powershell I posted to my blog at http://sentinel24.com/blog/?page_id=51 . One example recurses through a file structure and adds permissions for a user

(FYI - I use the long form for Powershell syntax when writing tutorials but you can make this much shorter using gci, gwmi, ft, etc)

Code:
Get-ChildItem -recurse * | ForEach-Object -process { $_.FullName } | % { c:\subinacl.exe /file $_ /grant=domain\username=F}

Obviously this won't work for services, so how to accomplish the same thing?

First I want to enumerate services, but I want to sort based on startmode and name and suppress everything except for the service name. (no status or table headers for example)

Code:
Get-WmiObject -computer computername win32_service | sort startmode, displayname | Format-Table -property Displayname -HideTableHeaders

I'm not 100% sure what you are hoping to accomplish here, but if you wanted to add an account entry for each of those you can combine the 2 scripts into something like

Code:
# Pipe the service objects themselves (Format-Table output is formatting data, and services have no FullName).
# subinacl /service takes \\computer\ServiceName, i.e. the short Name, not the DisplayName, and is invoked with & rather than built as a string.
Get-WmiObject -Computer computername Win32_Service | Sort-Object StartMode, DisplayName | ForEach-Object { & "C:\Program Files\Windows Resource Kits\Tools\subinacl.exe" /service "\\computername\$($_.Name)" /grant=domain\username=F }

http://ss64.com/nt/subinacl.html has additional subinacl syntax and is what I used when writing the scripts at my blog.

*Edit* While my way is more fun (I am addicted to making Powershell 1 liners!), I'd suggest checking out ajohnson's suggestion as that's probably closer to what you are looking for. :)
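The post above grants rights on services with subinacl; the check a practitioner wants afterwards is the reverse one, confirming no service hands change-config or write-DAC rights to a broad group, since that is the classic service-takeover misconfiguration. This is an added example, not code from the post or from subinacl's documentation: it parses service SDDL with .NET's RawSecurityDescriptor and flags risky ACEs. The two SDDL strings in $SampleSddl are constructed, and Get-LiveServiceSddl assumes sc.exe is available on the Windows host being checked.

```powershell
# Added example: audit service DACLs for broad principals holding takeover rights.
# Sample SDDL strings are constructed; sc.exe is assumed for the live path.

# Service access-mask bits (winsvc.h / winnt.h)
$SERVICE_CHANGE_CONFIG = 0x0002      # lets the holder change binPath, account, etc.
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$RiskyMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER

# Principals that should never hold those rights on a service
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'Interactive'
}

function Get-WeakServiceAces {
    # Emits one object per allow-ACE that grants a risky bit to a broad SID.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Sddl
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        $hit = $ace.AccessMask -band $RiskyMask
        if ($hit -ne 0 -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Service   = $ServiceName
                Principal = $BroadSids[$sid]
                Sid       = $sid
                RiskyBits = ('0x{0:X}' -f $hit)
                FullMask  = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

function Get-LiveServiceSddl {
    # Reads one service's security descriptor with sc.exe sdshow (assumed available).
    param([Parameter(Mandatory)][string]$ServiceName, [string]$ComputerName = '')
    $scArgs = @()
    if ($ComputerName) { $scArgs += "\\$ComputerName" }
    $scArgs += 'sdshow', $ServiceName
    $line = & sc.exe @scArgs | Where-Object { $_ -match '^D:' }
    return ($line | Select-Object -First 1)
}

# Constructed samples: a default-looking DACL, and one where Everyone (WD) holds
# the full-control mask that a /grant=...=F against the wrong principal produces.
$SampleSddl = @{
    'Spooler' = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'VulnSvc' = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
}

foreach ($name in $SampleSddl.Keys) {
    Get-WeakServiceAces -ServiceName $name -Sddl $SampleSddl[$name]
}

# Live use on a Windows host:
# Get-Service | ForEach-Object { Get-WeakServiceAces -ServiceName $_.Name -Sddl (Get-LiveServiceSddl $_.Name) }
```

Only VulnSvc is reported, with RiskyBits 0xC0002 (change-config plus write-DAC and write-owner) for Everyone. Run the live line after a bulk subinacl grant to confirm the rights landed on the intended account and nowhere broader.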
55  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: My OSCP journey... on: September 09, 2012, 01:19:54 PM
While I have not taken the OSCP curriculum, I have done a lot of other training. My biggest complaint is being spoonfed material. It makes for an easy and fun class but it's not helpful. When I encounter systems in the real world there is rarely a ready howto that takes into account all the avenues of attack for that system or one that addresses the unique contextual environment of that system. It is for this reason that I intend for OSCP to be one of my next certifications.

There are plenty of certified pentesters that don't know how to do more than run automated tools. What you are complaining about is in my opinion the defining characteristic for the OSCP and why it is so well respected in the community. If it is giving you that much heartburn, then perhaps you are pursuing the wrong career path. Pentesting is 60% research, 30% writing reports and only about 10% actual exploitation/post exploitation. (OK my percentages may be a little off but you get the point) If you do not enjoy research then you may want to rethink your career choices.

*edit* After re-reading this post it appears I am bashing other training providers. That's not entirely the case, but I wanted to clarify here. I highly value the SANS training I've attended, and will usually use them as the de facto technical security training for any of my new hires. But there's no denying you don't work as hard for the material. My style of learning is such that anything that causes me significant pain tends to remain in my brain longer.
56  Ethical Hacking Discussions and Related Certifications / General Certification / Re: How NOT to pass a job interview on: September 09, 2012, 01:08:36 PM
I definitely agree about Glassdoor. I find it useful, but not as a sole source. For instance, I was considering a job change about a year ago with a large security company. I checked out the reviews on Glassdoor and saw about 8 unique profiles, all sales people, complaining about how "fast-paced" the environment was. Several indicated they were expected to come in on Sunday to organize the upcoming week's sales objectives, and typically worked 60+ hours a week. If you didn't, you got let go. That was very informative to me; even though I'm not a sales guy, it told me a lot about their culture and what they typically expect from employees. It also told me they didn't really care about their people very much. That's not a place I want to work.

It's just like any security finding. You can't prove that the absence of the finding (management deleted bad comments or application was implemented in nonstandard way you did not test for) means the vulnerability does not exist. But when you have confirmed findings, especially when you can correlate those with other external sources, those have value that provide actionable intelligence. I can do something with that. Glassdoor is no exception.

Something we don't talk about a lot is confidence levels. How confident are you in your finding? With a penetration test, what may be a low confidence level from an automated scanner becomes high confidence once you exploit the vulnerability and pilfer sensitive data. When researching a company as a prospective employer, you almost never get the chance to achieve that level of confidence.

As far as the startups I did not get hired at, they were a similar environment to the one I mentioned above. Some really neat perks like an onsite barista free for employees, free Friday lunch, MBP and iPhone for everyone, etc., but the work output expected was insanity. I need time in my work week to do independent research, stay current on issues, etc. Maybe it's unfair to expect my employer to bear the cost of that, but while I can find employers who will, that is where I will naturally gravitate. That has more value to me than an extra 5 or 10k salary each year.
57  Ethical Hacking Discussions and Related Certifications / General Certification / Re: How NOT to pass a job interview on: September 09, 2012, 11:48:00 AM
.. Another funny thing I thought was when I was re-working my resume to show a more mature and security-sound profile, my recruiter reminded me to wear a suit. I looked at him like he had 3 heads, wondering "Why wouldn't I wear one???" But it's like warning signs: they are there because people don't use common sense.

I've actually lost out on jobs with startups by overdressing for the interview. Don't just research what they do; try to learn about their culture through such sites as http://www.glassdoor.com/index.htm or LinkedIn contacts that work there, friends, recruiter, etc. We pass over candidates all the time where I work that blow the technical questions out of the water because we don't think they will be a good fit for our culture. Wearing a suit to a jeans-and-t-shirt work environment interview may make you seem stuffy. The rest of this advice is very sound though.
58  Ethical Hacking Discussions and Related Certifications / Other / Re: Distro on: September 07, 2012, 10:24:20 AM
I've done this in the past and just locked down SSH, created a lower-privileged user, modified visudo, etc. Even doing so, you are running a crapton of services and oftentimes older, vulnerable versions of software. I'd be very careful here. You will get the same benefit from just running Ubuntu. I'd recommend running Ubuntu as the bare-metal OS and then running a BT5 VM or booting off USB/DVD when you need it.
59  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS SEC401 & GSEC advice wanted on: September 07, 2012, 09:08:45 AM
For the practice tests yes, and it explains why that was the wrong answer. On the real exam, you get an update every 15 questions that gives you your current percentage. So if you answer the first 5 wrong, that first update will say 67%, then get the next 15 right, it will update after question 30 to show you are at an 83%. It used to update every question, but that was changed in the last year in an attempt to comply with standards set forth by ANSI/ISO.
60  Resources / Tutorials / Re: l33t language learning on: September 07, 2012, 08:15:02 AM
Double or triple encoding messages is fun. I used to make my passwords SHA-1 or MD5 hashes of my passphrase so if they got cracked it still looked like a hash. I did a CTF recently where I had to decode a string 5 times using the Burp decoder before I got to the plain text. Fun stuff!

Btw, I think you mean Godwin's law. ;)
© 2013 The Ethical Hacker Network